Global Privacy Program

Merck has implemented a comprehensive global privacy program that promotes accountable privacy and data protection practices across our business and with our collaborative partners and suppliers.

In 4Q 2013, our program was certified under the Asia Pacific Economic Cooperation Cross-Border Privacy Rules System. Merck is the first healthcare company in the world to achieve this certification. Our program is designed to assure that four core privacy values are embedded into the way we conduct our business, without regard to how our business, technology or other external factors may change.

Our global privacy program is structured around a system of five core elements consistent with recognized standards for implementing an accountable privacy program. While the principle of accountability was first recognized in the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the “Guidelines”) issued, in 1980, by the Organisation for Economic Co-operation and Development (OECD), the essential elements for an accountable privacy program were first expressed in 2009 by the Accountability Project, an initiative led by the Centre for Information Policy Leadership, with participation from privacy regulators, data protection authorities, business and academia. Merck established its system in 2010 and joined the Accountability Project in 2011.

In 2013, the OECD published its first revision to the Guidelines since 1980. The revised Guidelines set forth a new standard for implementing accountability through privacy management programs. Our global privacy program is consistent with the standards of the revised Guidelines. Our program is modeled for continuous improvement, based on changes within our business and in the external environment that affect inherent privacy risks and the effectiveness of our privacy controls. The five core elements are:

Awareness

Promote and maintain a corporate culture that respects privacy and protects information about people

Management acknowledgement and responsibility for ensuring that requirements are addressed

Metrics

Define baseline and target metrics to determine the effectiveness, maturity and risks associated with the privacy program

Collect and analyze data for each metric and evaluate program effectiveness, maturity and risks, and areas for enhancement, improvement and risk mitigation

Consistent with our privacy values, we continue to believe that trust is core to our privacy mission. We define Privacy TRUST as supporting each of the operational privacy and data protection principles to which we adhere:

T—Transparency: Being clear about how personal information is collected, used and disclosed (supports our privacy principle of Notice)

R—Respecting Choices: Such as whether or not people want to participate in our programs (supports our privacy principle of Choice)

U—Understanding Perspectives: Including that people have different levels of concerns about their privacy based on cultural perspectives and personal experiences (supports our privacy principle of Necessity)

Global Cross-Border Data Flows

As a U.S.-based corporation, we have relied on the Safe Harbor Framework for transfers of personal data from the European Economic Area (“EEA”) to the United States (the “Safe Harbor”) as a primary mechanism for facilitating cross-border data flow originating from European countries. We also have utilized the Safe Harbor principles to support the development of our comprehensive privacy program, including incorporation of Safe Harbor standards for movement of personal data to and from other countries.

Merck was one of the first pharmaceutical companies to certify its adherence to the Safe Harbor Framework. We first certified in November 2001. U.S. organizations that certify to the U.S.-EU Safe Harbor are recognized as providing adequate protection for personal data transferred from the EEA, and organizations that certify to the U.S.-Swiss Safe Harbor are recognized as providing adequate protection for personal data transferred from Switzerland. Our Safe Harbor certification applies to transfers of personal information about a broad range of stakeholders from the EEA and, since 2009, from Switzerland, including employees, customers, patients, clinical investigators, healthcare professionals and others. We have reaffirmed our adherence to the Safe Harbor annually since 2001.

In 2013, Merck became the first healthcare company in the world, and the second multinational company, to be certified under the new Asia Pacific Economic Cooperation Cross-Border Privacy Rules System (APEC CBPR). The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. Achievement of APEC certification demonstrates to our customers, patients and other stakeholders our strong commitment to accountable, values-based, privacy and data protection practices in every region of the world in which we operate.

Privacy Risk & Effectiveness

Consistent with our commitments to accountability and continuous improvement of our program, in 2011 we developed a quantitative approach to consistently evaluate privacy risk and determine the impact of control effectiveness on privacy risks across our operations. We continue to apply this approach to new activities and initiatives to provide consistent guidance on required privacy standards and controls. In connection with our annual privacy compliance review, we also evaluated global and country operations, and we utilized this quantitative approach to determine opportunities for improvement in specific areas and across our program.

Transparency & Privacy

We aspire to be a leader in privacy transparency practices. We aim to achieve this by explaining our privacy practices in ways that enable our stakeholders to make meaningful choices about how we collect, use and disclose personal information about them.

Since 2007, we have developed and published standardized comprehensive privacy notices for major categories of stakeholders about whom we collect, use and disclose personal information across our business. We adopted a format first proposed in 2007 for the U.S. financial services industry.1 This standard format uses a tabular approach to categorize the information provided in the notices in order to make them easier to understand, and easier for people who interact with us in multiple ways to compare our practices. All of our standardized comprehensive notices, available in multiple languages, are published online.

We recognize that health innovations continue at a rapid pace, and we strive to enhance our transparency practices to address these changes. In 2009, we updated our Internet Privacy Policy to include explanations of new ways in which we planned to collect personal information online using social media and mobile computing; the transparency standards we apply to these types of online technologies; and additional disclosures regarding collection of information from personal computers and other electronic devices. We also began implementing contextual privacy notices in our apps for mobile devices in 2009. Most of our privacy notices can be found in the description at the app store, as well as in the information, settings, email and reporting features of our mobile apps. In 2011, we began implementing reference notices to Merck privacy practices on social media platforms through which Merck engages stakeholders such as Facebook and Twitter. In 2012, we began implementing our first privacy notices for Merck apps hosted on social media platforms, such as Facebook. In recognition of growing regulatory concerns regarding mobile app privacy, in 2013, we published a new stand-alone overview regarding our mobile app privacy practices.

1 The proposed Model Privacy Notice was included in the Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act, 72 FR 14940 (March 29, 2007).

Merck is actively engaged in policy and advocacy efforts to further privacy standards and next-generation policy frameworks that promote responsible collection, use and collaborative sharing of data in support of healthcare, biomedical research and other innovation.

In 2012, we engaged in constructive discussions with U.S., European and Latin American regulators, scholars and business privacy leaders on Phase IV of the CIPL Accountability Project, including presentation of our approach to privacy risk assessment and piloting of an organizational self-assessment tool for privacy accountability. The outcome of Phase IV was published in an Accountability Self-Assessment Tool released by CIPL in December 2012. In demonstration of our commitment to accountability as a key facet of our global privacy program, in 3Q 2012, Merck integrated the structure and standards of the Accountability Self-Assessment Tool into the management certification process that supports our annual privacy compliance verification. In 2013, Merck became a founding supporter of the Information Accountability Foundation, a charitable organization created to build upon the work of the Accountability Project to further accountability-based information governance that facilitates information-driven innovation while protecting individuals’ rights to privacy and autonomy.